image area

Recovering and Preserving Public Records in the Age of Electronic Documents By Robert J. Kerwin, Esq.

Tuesday, June 01, 2010

Recovering and Preserving Public Records in the Age of Electronic Documents

By Robert J. Kerwin, Esq.

The Legislature long ago established that government records must be preserved, maintained and made available to the public in accordance with state law (M.G.L. Ch. 66, Sect. 8). The state’s Supervisor of Public Records, meanwhile, has required municipalities to implement policies governing the backup and archiving of electronic public records (SPR Bulletin No. 1-99). The supervisor has further required municipalities to make “reasonable” efforts to recover any electronic public records that are lost. What constitutes “reasonable” efforts in any given instance is at this point fact-specific. The supervisor, however, has not publicly addressed the financial costs involved in the recovery of public records.

With the explosion of electronic documents, most municipal public records are expected to be of an electronic variety within a few years. So the issue of managing and recovering electronic documents is of importance to every municipality. If not properly managed, “personal storage tables” (i.e., files) containing e-mail records may be lost when one simply replaces a hard drive or upgrades software. Given that all municipalities eventually upgrade their computers and software, all municipalities are at risk of losing electronic documents. Complicating matters is the fact that a municipality may not be aware of the loss of records for some time. Where a municipality has many employees, it is not always possible to know when documents are lost.

The effort to recover electronic public records may entail the retention of an outside computer forensic expert. Indeed, in one instance, the supervisor of public records required a municipality to retain an outside computer forensic firm. For the municipality, this cost could be a significant contingent liability that was not budgeted or anticipated. Like other professionals, a computer forensic expert frequently bills by the hour. The hourly cost may vary, depending on whether the expert is being asked to take down a system, obtain a mirror image of the hard drive, or locate specific files. In many cases, these activities must be conducted outside of business hours, and the forensic expert may charge a higher rate for work that must be done at night or in the early morning. It is important, where possible, to establish the expected cost of an activity up front.

Recovering Files

As of five years ago, the average corporate user was sending thirty-four e-mails per day and receiving ninety-nine, or a total of 133 e-mails, according to the Radicati Group’s E-mail Archiving Corporate Survey. For 2010, the Radicati Group projects that each user will send and receive a total of 199 e-mails per day, with the number rising to 228 in 2011. Data retention, therefore, is no small task.

Microsoft Outlook is the most popular program for storing e-mail data locally. When one deletes an e-mail, it is sent to the “trash,” also known as the “deleted items folder.” When a user “empties” the deleted items folder, all the deleted messages ostensibly disappear. The “deleted” items may, however, still be in the user’s computer. Depending upon the e-mail system used, the deleted e-mail data will either be in plain text in the unallocated space or may be stored in some binary fashion. If an e-mail repair utility such as Advanced Outlook Repair is used to recover e-mails, one may recover whole and fragmented messages from the unallocated areas of a computer.

Sometimes, it’s important to establish that an effort was made to recover e-mails from an individual user’s computer. If called upon to produce evidence that demonstrates that searches were made of a computer, it will be helpful that the computer forensic expert is able to confirm that the work was performed in an established manner. The Advanced Outlook Repair and “Encase” tools are commonly used. Indeed it may be helpful to ensure that the computer forensic expert has a facility in operating Encase, or another similar software tool such as FTK, F-Response or other e-discovery tools. In terms of computer forensic qualifications, one should discern whether the forensic professional is schooled in a protocol that provides a systematic manner to undertake the recovery. By way of example, the protocol may be that the hard drive of the computer be forensically imaged and write-blocked to preserve data. A backup copy is made and physically secured in an off-site safe. After the case preparation process (which may include mounting all compound files and recovering references to deleted files that may be missing their parent folders), the forensic expert may run an analysis that may aid in discerning whether document extensions were renamed in an attempt to hide vital evidence. One can also apply a comprehensive e-mail filter to locate any active mail files that reside on the computer.

Frequently, the project may involve working with the municipality to establish a series of searches to discern whether the document may be recovered from the hard drive’s unallocated space. Key word searches are often used to locate missing e-mails. These are beneficial, but could also generate confusion to those reviewing the work being undertaken. For example, a key word search may generate a number of “hits” in the unallocated space, but these hits may include—and often do include—unintelligible sentence fragments. Some observers may confuse “hits” with actual readable e-mails, even though the number of readable e-mails may be substantially less than the number of “hits.”

The limitations of key word searches to recovery are perhaps obvious. The searches require that the public entity undertaking the search recall generally the subject matter or person to whom the e-mail is addressed and identify the users with whom he or she may have communicated. This approach to the recovery of “lost” e-mails may only uncover a limited number of messages. It’s also important to keep in mind that unallocated space is constantly being used and overwritten. Since one often cannot discern the full scope of the lost e-mails, the number of searches to be conducted is likewise within the discretion of the municipality. It should be noted that if e-mail has been “double-deleted,” the number of hits will vary from the number of readable e-mails. The process of discerning what is readable and what is not readable is a time-intensive activity. As noted, even recoverable e-mails will frequently contain some sections of gibberish. Given the sheer volume of e-mails sent and received over many months, such key word searches can be daunting, and confirmation of full recovery based on e-mail searches is, in and of itself, difficult. It is therefore not entirely possible to say that all e-mails have been recovered. The reverse is also true: it is difficult to say that all e-mails have not been recovered. When combined with examination of the backup systems and examination of archived e-mails, however, the recovery can be more complete.

System Back-Ups

Most systems have some form of backup that can aid in the recovery of lost e-mails. Such back-up systems, however, are not as easily accessible as the name suggests. Recovering the back-up for a particular computer may be time-consuming and difficult. It seems counter-intuitive, but most back-up systems really are not readily accessible.

A more efficient form of recovery may be the use of an E-Discovery tool such as the auto archive system, if installed. Such an archiving system allows one to recover instantly the documents that were ostensibly lost. If there are internal e-mail archives, such as with an Enterprise Vault System, one can recover lost public records more easily. It will be helpful to use duplication tools, so that one may discern unique mail items from duplicates. The up-front costs of auto-archiving are not small, but given the panoply of public records requests often received by a municipality, this may be the most cost-effective way to go, long-term, to recover lost e-mails and to respond to public record requests.

An effective e-mail retention policy will go a long way toward avoiding the necessity for an extended public document recovery process. If the public records are archived on a periodic basis such may prove to reduce the necessity of an expensive recovery program.  The new draft guidelines of the Secretary of State contemplate training for e-mail users, expanded identification of public records (i.e. Facebook and other social media) and a prohibition on automatic deletion of public records.  With the avalanche of electronic documents, however, it is clear that recovery programs, when necessary, will become less costly and more sophisticated as time and technology progress. This is good news for municipalities seeking to preserve and recover public records.

Robert J. Kerwin is a former president of the City Solicitors and Town Counsel Association and a shareholder in the Boston firm Tarlow, Breed, Hart & Rodgers, P.C.

A version of this article appeared in Municipal Advocate, Vol. 25, No. 2. Click here to view the published article. (PDF)